A hacker can listen to your calls with nothing more than your phone number

Hackers can read all your text messages, grab personal
information, and listen to voice calls with nothing more than
your cellular phone number.

The glaring security vulnerability lies within the
worldwide network of mobile carriers that use Signaling
System Seven (SS7) to share data, so it's not dependent
on any particular phone. In a new
report for 60 Minutes, German cybersecurity researchers
showed just how much they could get.

"[We can] track their whereabouts, know where they go
for work, which other people they meet when," researcher Karsten
Nohl said. "You can spy on whom they call and what they say over
the phone. And you can read their texts."

You can think of SS7 as being sort of like the cellular version of
banking communications standards. Just as different banks
need a common language to be able to transfer people's money around
the world, mobile carriers use SS7 to pass customer data and
allow a person who lives in New York City to be able to jump
onto a cell network in London when they travel there.

It's a vital piece of the mobile puzzle, but the problem
is, security among the 800-plus mobile operators with access
can be hit-or-miss. The hackers working with 60 Minutes obtained
access legally with agreement from a mobile carrier for testing
purposes, but it's actually not that difficult to get in without
a carrier's blessing.

Hackers can break in illegally by going through unsecured
access points on the internet, or they can even buy access
from carriers for a few hundred bucks.

"If you plan on doing some SMS service or something like that you
might actually need SS7 access, so it can simply be bought,"
explained researcher Tobias Engel at the Chaos Communication
Congress in Dec. 2014.

Though the exploit has been known for nearly two years, the 60
Minutes report shows it is still clearly a problem. And since
it's at the network level, and not the phone level, there's very little
consumers can do to protect themselves.

"The mobile network [is] independent from the little GPS
chip in your phone," Nohl said. "So any choices ... choosing a
phone, choosing a pin number, installing or not installing
certain apps, have no influence over what we are showing because
this is targeting the mobile network. That of course, is not
controlled by any one customer."

Many carriers are reportedly working on a replacement of SS7 with
something more secure, but it will likely remain
backward-compatible with the old system — leaving users
vulnerable — for many years afterward as other carriers make the
switch, according to Ars Technica.